TB
Uploaded byTaswar Bhatti
PPTX, PDF8,147 views

Using Vault for your Nodejs Secrets

The document discusses the management of secrets in Node.js applications using Vault, highlighting the risks associated with secret sprawl in source code and configuration management. It details Vault's capabilities for centralized secret management, including encryption, access controls, dynamic secrets, and an audit trail while emphasizing the importance of securely unsealing the vault with multiple keys. Additionally, it covers practical applications for integrating Vault with Docker and Kubernetes for secure authentication and role-based access control.

Embed presentation

Downloaded 12 times
Using vault for your NodeJS Secrets Taswar Bhatti – Solutions Architect Gemalto
Secrets •
About me • Taswar Bhatti (Microsoft MVP) • @taswarbhatti • http://taswar.zeytinsoft.com • Gemalto (System Architect)
So what are secrets? • Secrets grants you AuthN or AuthZ to a system • Examples • Username & Passwords • Database credentials • API Token • TLS Certs
Secret Sprawl • Secrets ends up in • Source Code • Version Control Systems (Github, Gitlab, Bitbucket etc) • Configuration Management (Chef, Puppet, Ansible etc)
Issues • How do we know who has access to those secrets • When was the last time they accessed it? • What if we want to change/rotate the secrets
Desire secrets • Encryption in rest and transit • Only decrypted in memory • Access control • Rotation & Revocation
Secret Management - Vault • Centralized Secret Management • Encrypted at rest and transit • Lease and Renewal • ACL • Audit Trail • Multiple Client Auth Method (Ldap,Github, approle) • Dynamic Secrets • Encryption as a Service
Dynamic Secrets • Allows one to lease a secret for a period of time e.g 2 hrs • Generates on demand and unique for each user/consumption • Audit trail
Secure Secrets • AES 256 with GCM encryption • TLS 1.2 for clients • No HSM is required
Unsealing the Vault • Vault requires encryption keys to encrypt data • Shamir Secret Key Sharing • Master key is split into multiple keys
Shamir Secret Sharing
Unseal • Unseal Key 1: QZdnKsOyGXaWoB2viLBBWLlIpU+tQrQy49D+Mq24/V0B • Unseal Key 2: 1pxViFucRZDJ+kpXAeefepdmLwU6QpsFZwseOIPqaPAC • Unseal Key 3: bw+yIvxrXR5k8VoLqS5NGW4bjuZym2usm/PvCAaMh8UD • Unseal Key 4: o40xl6lcQo8+DgTQ0QJxkw0BgS5n6XHNtWOgBbt7LKYE • Unseal Key 5: Gh7WPQ6rWgGTBRSMecuj8PR8IM0vMIFkSZtRNT4dw5MF • Initial Root Token: 5b781ff4-eee8-d6a1-ea42-88428a7e8815 • Vault initialized with 5 keys and a key threshold of 3. Please • securely distribute the above keys. When the Vault is re-sealed, • restarted, or stopped, you must provide at least 3 of these keys • to unseal it again. • Vault does not store the master key. Without at least 3 keys, • your Vault will remain permanently sealed.
How to unseal • vault unseal -address=${VAULT_ADDR} QZdnKsOyGXaWoB2viLBBWLlIpU+tQrQy49D+Mq24/V0B • vault unseal -address=${VAULT_ADDR} bw+yIvxrXR5k8VoLqS5NGW4bjuZym2usm/PvCAaMh8UD • vault unseal -address=${VAULT_ADDR} Gh7WPQ6rWgGTBRSMecuj8PR8IM0vMIFkSZtRNT4dw5MF
Writing Secrets • vault write -address=${VAULT_ADDR} secret/hello value=world • vault read -address=${VAULT_ADDR} secret/hello • Key Value • --- ----- • refresh_interval 768h0m0s • Value world
Policy on secrets • We can assign application roles to the policy path "secret/web/*" { policy = "read" } • vault policy write -address=${VAULT_ADDR} web-policy ${DIR}/web-policy.hcl
Reading secrets based on policy • vault read -address=${VAULT_ADDR} secret/web/web-apps • vault read -address=${VAULT_ADDR} secret/hello • Error reading secret/hello: Error making API request. • URL: GET http://127.0.0.1:8200/v1/secret/hello • Code: 403. Errors: • * permission denied
Demo Using Vault
Demo Docker Environment VAR • Issues with env variables
Mount Temp File System into App • docker run –v /hostsecerts:/secerts …. • To mitigate reading from Env • Store your wrap token in the filesystem to use with vault • Have limit time on wrap token
Wrap Token for App Secrets • Limit time token • Used to unwrap some secrets • vault read -wrap-ttl=60s -address=http://127.0.0.1:8200 secret/weatherapp/config • Key Value • --- ----- • wrapping_token: 35093b2a-60d4-224d-5f16-b802c82de1e7 • wrapping_token_ttl: 1m0s • wrapping_token_creation_time: 2017-09-06 09:29:03.4892595 +0000 UTC • wrapping_token_creation_path: secret/weatherapp/config
App Roles • Allows machines or apps to authenticate with Vault • Using a role_id and secret_id as credentials • Assign polices to the app • Once logged in you get back a token to get secrets
Demo App Using Node
Kubernetes with Vault • Read Service Account JWT • App Sends Jwt and Role Name to Vault • Vault checks the signature of Jwt • Sends to TokenReviewer API • Vault sends back valid token for app
Thankyou • Contact me (taswar.bhatti@gemalto.com) • @taswarbhatti

More Related Content

PPTX
Nodejsvault austin2019
byTaswar Bhatti
 
PPTX
Cloud patterns forwardjs April Ottawa 2019
byTaswar Bhatti
 
PPTX
Managing your secrets in a cloud environment
byTaswar Bhatti
 
PPTX
Azure key vault - Brisbane User Group
byRahul Nath
 
PPTX
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
byTom Kerkhove
 
PPTX
ITProceed 2015 - Securing Sensitive Data with Azure Key Vault
byTom Kerkhove
 
PPTX
Azure key vault
byRahul Nath
 
PPTX
Securing sensitive data with Azure Key Vault
byTom Kerkhove
 
Nodejsvault austin2019
byTaswar Bhatti
 
Cloud patterns forwardjs April Ottawa 2019
byTaswar Bhatti
 
Managing your secrets in a cloud environment
byTaswar Bhatti
 
Azure key vault - Brisbane User Group
byRahul Nath
 
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
byTom Kerkhove
 
ITProceed 2015 - Securing Sensitive Data with Azure Key Vault
byTom Kerkhove
 
Azure key vault
byRahul Nath
 
Securing sensitive data with Azure Key Vault
byTom Kerkhove
 

What's hot

PPTX
Techdays Finland 2018 - Building secure cloud applications with Azure Key Vault
byTom Kerkhove
 
PPTX
Azure Key Vault - Getting Started
byTaswar Bhatti
 
PDF
Secret Management with Hashicorp’s Vault
byAWS Germany
 
PPTX
Secret Management with Hashicorp Vault and Consul on Kubernetes
byAn Nguyen
 
PDF
Credential store using HashiCorp Vault
byMayank Patel
 
PDF
Hashicorp Vault: Open Source Secrets Management at #OPEN18
byKangaroot
 
PDF
Overview of secret management solutions and architecture
byYuechuan (Mike) Chen
 
PDF
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
byHashiCorp
 
PPTX
Global Azure Bootcamp 2017 - Azure Key Vault
byAlberto Diaz Martin
 
PPT
Steve Jones - Encrypting Data
byRed Gate Software
 
PDF
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
byDynamicInfraDays
 
PPTX
Blockchain on AWS
byAWS Riyadh User Group
 
PPTX
Securing Your MongoDB Deployment
byMongoDB
 
PDF
Network security with Azure PaaS services by Erwin Staal from 4DotNet at Azur...
byDevClub_lv
 
PDF
Using Azure Managed Identities for your App Services by Jan de Vries from 4Do...
byDevClub_lv
 
PPTX
Cloud Design Patterns - Hong Kong Codeaholics
byTaswar Bhatti
 
PPTX
Securing AWS Accounts with Hashi Vault
byShrivatsa Upadhye
 
Techdays Finland 2018 - Building secure cloud applications with Azure Key Vault
byTom Kerkhove
 
Azure Key Vault - Getting Started
byTaswar Bhatti
 
Secret Management with Hashicorp’s Vault
byAWS Germany
 
Secret Management with Hashicorp Vault and Consul on Kubernetes
byAn Nguyen
 
Credential store using HashiCorp Vault
byMayank Patel
 
Hashicorp Vault: Open Source Secrets Management at #OPEN18
byKangaroot
 
Overview of secret management solutions and architecture
byYuechuan (Mike) Chen
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
byHashiCorp
 
Global Azure Bootcamp 2017 - Azure Key Vault
byAlberto Diaz Martin
 
Steve Jones - Encrypting Data
byRed Gate Software
 
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
byDynamicInfraDays
 
Blockchain on AWS
byAWS Riyadh User Group
 
Securing Your MongoDB Deployment
byMongoDB
 
Network security with Azure PaaS services by Erwin Staal from 4DotNet at Azur...
byDevClub_lv
 
Using Azure Managed Identities for your App Services by Jan de Vries from 4Do...
byDevClub_lv
 
Cloud Design Patterns - Hong Kong Codeaholics
byTaswar Bhatti
 
Securing AWS Accounts with Hashi Vault
byShrivatsa Upadhye
 

Similar to Using Vault for your Nodejs Secrets

PDF
Introducing Vault
byRamit Surana
 
PPTX
Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...
byStenio Ferreira
 
PDF
Hiding secrets in Vault
byNeven Rakonić
 
PDF
Hashicorp Vault Associate Certification Concepts Part 2
byAdnan Rashid
 
PPTX
Secure your Config with Key Vault for Node.JS
byLakshman S
 
PDF
Vault
bydawnlua
 
PDF
Vault 101
byHazzim Anaya
 
PDF
Issuing temporary credentials for my sql using hashicorp vault
byOlinData
 
PPTX
Hashicorp Vault ppt
byShrey Agarwal
 
PPTX
MuleSoft_Meetup_#6_Chandigarh_April_2021
bySuresh Rathore
 
PDF
Vault and Security as a Service
byPatrick Shields
 
PDF
Keybase Vault Auto-Unseal HashiTalks2020
byBas Meijer
 
PPTX
Vault w/ config injection kubernetes canada
byJean-Philippe Bélanger
 
PDF
Secrets management vault cncf meetup
byJuraj Hantak
 
PDF
Vault 1.0: How to Auto-Unseal and Other New Features
byMitchell Pronschinske
 
PDF
Vault 1.1: Secret Caching with Vault Agent and Other New Features
byMitchell Pronschinske
 
PPTX
Vault Digital Transformation
byStenio Ferreira
 
PDF
HashiCorp Vault Workshop:幫 Credentials 找個窩
bysmalltown
 
PDF
Vault Associate Certification Internals
byAdnan Rashid
 
PDF
Introduction to vault
byHenrik Høegh
 
Introducing Vault
byRamit Surana
 
Hashicorp Chicago HUG - Secure and Automated Workflows in Azure with Vault an...
byStenio Ferreira
 
Hiding secrets in Vault
byNeven Rakonić
 
Hashicorp Vault Associate Certification Concepts Part 2
byAdnan Rashid
 
Secure your Config with Key Vault for Node.JS
byLakshman S
 
Vault
bydawnlua
 
Vault 101
byHazzim Anaya
 
Issuing temporary credentials for my sql using hashicorp vault
byOlinData
 
Hashicorp Vault ppt
byShrey Agarwal
 
MuleSoft_Meetup_#6_Chandigarh_April_2021
bySuresh Rathore
 
Vault and Security as a Service
byPatrick Shields
 
Keybase Vault Auto-Unseal HashiTalks2020
byBas Meijer
 
Vault w/ config injection kubernetes canada
byJean-Philippe Bélanger
 
Secrets management vault cncf meetup
byJuraj Hantak
 
Vault 1.0: How to Auto-Unseal and Other New Features
byMitchell Pronschinske
 
Vault 1.1: Secret Caching with Vault Agent and Other New Features
byMitchell Pronschinske
 
Vault Digital Transformation
byStenio Ferreira
 
HashiCorp Vault Workshop:幫 Credentials 找個窩
bysmalltown
 
Vault Associate Certification Internals
byAdnan Rashid
 
Introduction to vault
byHenrik Høegh
 

More from Taswar Bhatti

PPTX
Get productive with python Visual Studio 2019
byTaswar Bhatti
 
PPTX
Micrsoft Ignite Toronto - BRK3508 - 8 Cloud Design Patterns you ought to know
byTaswar Bhatti
 
PPTX
8 cloud design patterns you ought to know - Update Conference 2018
byTaswar Bhatti
 
PPTX
Intro elasticsearch taswarbhatti
byTaswar Bhatti
 
PPTX
Cloud patterns at Carleton University
byTaswar Bhatti
 
PPTX
Cloud Design Patterns
byTaswar Bhatti
 
PPTX
Devteach 2017 OAuth and Open id connect demystified
byTaswar Bhatti
 
PPTX
Devteach 2017 Store 2 million of audit a day into elasticsearch
byTaswar Bhatti
 
PPTX
An introduction to Microsoft Bot Framework
byTaswar Bhatti
 
PPTX
Dev days 1 Introduction to Xamarin Taswar Bhatti
byTaswar Bhatti
 
PPTX
Xamarin forms introduction by Taswar Bhatti and Ahmed Assad
byTaswar Bhatti
 
PPTX
Docker for .NET Developers
byTaswar Bhatti
 
PPTX
Docker for .NET Developers
byTaswar Bhatti
 
PPTX
Akka.Net Ottawa .NET User Group Meetup
byTaswar Bhatti
 
Get productive with python Visual Studio 2019
byTaswar Bhatti
 
Micrsoft Ignite Toronto - BRK3508 - 8 Cloud Design Patterns you ought to know
byTaswar Bhatti
 
8 cloud design patterns you ought to know - Update Conference 2018
byTaswar Bhatti
 
Intro elasticsearch taswarbhatti
byTaswar Bhatti
 
Cloud patterns at Carleton University
byTaswar Bhatti
 
Cloud Design Patterns
byTaswar Bhatti
 
Devteach 2017 OAuth and Open id connect demystified
byTaswar Bhatti
 
Devteach 2017 Store 2 million of audit a day into elasticsearch
byTaswar Bhatti
 
An introduction to Microsoft Bot Framework
byTaswar Bhatti
 
Dev days 1 Introduction to Xamarin Taswar Bhatti
byTaswar Bhatti
 
Xamarin forms introduction by Taswar Bhatti and Ahmed Assad
byTaswar Bhatti
 
Docker for .NET Developers
byTaswar Bhatti
 
Docker for .NET Developers
byTaswar Bhatti
 
Akka.Net Ottawa .NET User Group Meetup
byTaswar Bhatti
 

Recently uploaded

PDF
How to build hackthon projects from ZERO!
byishantyadav1111
 
PDF
Real-Time AI at Scale Masterclass: Feature Store at Scale
byScyllaDB
 
PDF
Chapter 3 Cryptography and encryption techniques.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
Transcript: EU regulations for the North American book supply chain - Tech Fo...
byBookNet Canada
 
PPTX
2026 SCORM Troubleshooting Rustici + dominKnow.pptx
byRustici Software
 
PPTX
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
PDF
7 Essential Types of Penetration Testing Services Every Business Should Under...
bypandeydevika621
 
PDF
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
PDF
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
PDF
What Thema can do: Leveraging metadata to support the discoverability of Firs...
byBookNet Canada
 
PDF
AI-Powered Alert Analysis with ClickHouse - DB Mastery Jan'26
byAlkin Tezuysal
 
PDF
Web3 - Applications and Architectures - History and Horizons
byGokul Alex
 
PDF
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
PDF
Pneumatic Pressure Pump PPP01 for Calibration & Testing
bySERRAX TECHNOLOGIES LLP
 
PDF
Real-Time AI at Scale Masterclass - Challenges of AI at Scale
byScyllaDB
 
PPTX
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
PPTX
Jisc Equipment Data Service Update Workshop 3 December 2025
byJisc
 
PDF
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
PDF
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
PDF
Why AI Girlfriends Are the Future of Digital Companionship
byAi Angels
 
How to build hackthon projects from ZERO!
byishantyadav1111
 
Real-Time AI at Scale Masterclass: Feature Store at Scale
byScyllaDB
 
Chapter 3 Cryptography and encryption techniques.pdf
byGetnet Tigabie Askale -(GM)
 
Transcript: EU regulations for the North American book supply chain - Tech Fo...
byBookNet Canada
 
2026 SCORM Troubleshooting Rustici + dominKnow.pptx
byRustici Software
 
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
7 Essential Types of Penetration Testing Services Every Business Should Under...
bypandeydevika621
 
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
What Thema can do: Leveraging metadata to support the discoverability of Firs...
byBookNet Canada
 
AI-Powered Alert Analysis with ClickHouse - DB Mastery Jan'26
byAlkin Tezuysal
 
Web3 - Applications and Architectures - History and Horizons
byGokul Alex
 
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
Pneumatic Pressure Pump PPP01 for Calibration & Testing
bySERRAX TECHNOLOGIES LLP
 
Real-Time AI at Scale Masterclass - Challenges of AI at Scale
byScyllaDB
 
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
Jisc Equipment Data Service Update Workshop 3 December 2025
byJisc
 
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
Why AI Girlfriends Are the Future of Digital Companionship
byAi Angels
 

Using Vault for your Nodejs Secrets

  • 1.
    Using vault foryour NodeJS Secrets Taswar Bhatti – Solutions Architect Gemalto
  • 2.
  • 3.
    About me • TaswarBhatti (Microsoft MVP) • @taswarbhatti • http://taswar.zeytinsoft.com • Gemalto (System Architect)
  • 4.
    So what aresecrets? • Secrets grants you AuthN or AuthZ to a system • Examples • Username & Passwords • Database credentials • API Token • TLS Certs
  • 5.
    Secret Sprawl • Secretsends up in • Source Code • Version Control Systems (Github, Gitlab, Bitbucket etc) • Configuration Management (Chef, Puppet, Ansible etc)
  • 6.
    Issues • How dowe know who has access to those secrets • When was the last time they accessed it? • What if we want to change/rotate the secrets
  • 7.
    Desire secrets • Encryptionin rest and transit • Only decrypted in memory • Access control • Rotation & Revocation
  • 8.
    Secret Management -Vault • Centralized Secret Management • Encrypted at rest and transit • Lease and Renewal • ACL • Audit Trail • Multiple Client Auth Method (Ldap,Github, approle) • Dynamic Secrets • Encryption as a Service
  • 9.
    Dynamic Secrets • Allowsone to lease a secret for a period of time e.g 2 hrs • Generates on demand and unique for each user/consumption • Audit trail
  • 10.
    Secure Secrets • AES256 with GCM encryption • TLS 1.2 for clients • No HSM is required
  • 11.
    Unsealing the Vault •Vault requires encryption keys to encrypt data • Shamir Secret Key Sharing • Master key is split into multiple keys
  • 12.
  • 13.
    Unseal • Unseal Key1: QZdnKsOyGXaWoB2viLBBWLlIpU+tQrQy49D+Mq24/V0B • Unseal Key 2: 1pxViFucRZDJ+kpXAeefepdmLwU6QpsFZwseOIPqaPAC • Unseal Key 3: bw+yIvxrXR5k8VoLqS5NGW4bjuZym2usm/PvCAaMh8UD • Unseal Key 4: o40xl6lcQo8+DgTQ0QJxkw0BgS5n6XHNtWOgBbt7LKYE • Unseal Key 5: Gh7WPQ6rWgGTBRSMecuj8PR8IM0vMIFkSZtRNT4dw5MF • Initial Root Token: 5b781ff4-eee8-d6a1-ea42-88428a7e8815 • Vault initialized with 5 keys and a key threshold of 3. Please • securely distribute the above keys. When the Vault is re-sealed, • restarted, or stopped, you must provide at least 3 of these keys • to unseal it again. • Vault does not store the master key. Without at least 3 keys, • your Vault will remain permanently sealed.
  • 14.
    How to unseal •vault unseal -address=${VAULT_ADDR} QZdnKsOyGXaWoB2viLBBWLlIpU+tQrQy49D+Mq24/V0B • vault unseal -address=${VAULT_ADDR} bw+yIvxrXR5k8VoLqS5NGW4bjuZym2usm/PvCAaMh8UD • vault unseal -address=${VAULT_ADDR} Gh7WPQ6rWgGTBRSMecuj8PR8IM0vMIFkSZtRNT4dw5MF
  • 15.
    Writing Secrets • vaultwrite -address=${VAULT_ADDR} secret/hello value=world • vault read -address=${VAULT_ADDR} secret/hello • Key Value • --- ----- • refresh_interval 768h0m0s • Value world
  • 16.
    Policy on secrets •We can assign application roles to the policy path "secret/web/*" { policy = "read" } • vault policy write -address=${VAULT_ADDR} web-policy ${DIR}/web-policy.hcl
  • 17.
    Reading secrets basedon policy • vault read -address=${VAULT_ADDR} secret/web/web-apps • vault read -address=${VAULT_ADDR} secret/hello • Error reading secret/hello: Error making API request. • URL: GET http://127.0.0.1:8200/v1/secret/hello • Code: 403. Errors: • * permission denied
  • 18.
  • 19.
    Demo Docker EnvironmentVAR • Issues with env variables
  • 20.
    Mount Temp FileSystem into App • docker run –v /hostsecerts:/secerts …. • To mitigate reading from Env • Store your wrap token in the filesystem to use with vault • Have limit time on wrap token
  • 21.
    Wrap Token forApp Secrets • Limit time token • Used to unwrap some secrets • vault read -wrap-ttl=60s -address=http://127.0.0.1:8200 secret/weatherapp/config • Key Value • --- ----- • wrapping_token: 35093b2a-60d4-224d-5f16-b802c82de1e7 • wrapping_token_ttl: 1m0s • wrapping_token_creation_time: 2017-09-06 09:29:03.4892595 +0000 UTC • wrapping_token_creation_path: secret/weatherapp/config
  • 22.
    App Roles • Allowsmachines or apps to authenticate with Vault • Using a role_id and secret_id as credentials • Assign polices to the app • Once logged in you get back a token to get secrets
  • 23.
  • 24.
    Kubernetes with Vault •Read Service Account JWT • App Sends Jwt and Role Name to Vault • Vault checks the signature of Jwt • Sends to TokenReviewer API • Vault sends back valid token for app
  • 25.
    Thankyou • Contact me(taswar.bhatti@gemalto.com) • @taswarbhatti